Authentication. Katarina


Authentication (slide 1)
Katarina Valalikova, @KValalikova, k.valalikova@evolveum.com

Agenda (slide 2)
- History
- Multi-factor, adaptive authentication
- SSO, SAML, OAuth, OpenID Connect
- Federation

Who am I? (slide 3)
Ing. Katarina Valaliková, FIIT STU BA, Evolveum s.r.o., Java Developer, Identity Engineer

Back to the topic (slide 4)

Authentication (slide 5)
Verification that the user is who he claims to be.

Authentication (slide 6)
Three main factors:
- Something that I know: password, passphrase
- Something that I have: token, certificate
- Something that I am: biometrics

Authentication (slide 7)
The most usual use case: username & password

Brief history (slide 8)

Authentication (slide 9)
- First used in the 1960s at MIT
- Username and password saved in plain text on the filesystem
- Hashing
- Multi-factor authentication
- Adaptive authentication

Authentication (slide 10)
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

Multi-factor authentication (slide 11)
Combination of more than one factor:
- something that I know
- something that I have
- something that I am

Adaptive authentication (slide 12)
Risk-factor authentication: deciding whether the user needs to use additional authentication. Example: internet banking.

Adaptive authentication - signals (slides 13-21, one added per slide)
- Device recognition: do I log in with a known device?
- Threat services: IP whitelist, IP blacklist
- Directory lookup: checking the user's standard profile against a known directory
- Geo-location: checking the typical user location where he logs in from
- Geo-velocity: if I log in from Kosice, I won't log in from the USA in 10 minutes.
- Geo-fencing: geographic barriers
- Behavioural biometrics: suspicious user keystroke and mouse movements
- Identity governance: decisions made according to the user's access rights (risk factor)
- User behaviour analytics: how does the user usually behave?
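The signals on slides 13-21 only become a decision once they are combined. The following Python example is added here and is not from the deck: it scores a login against a constructed device registry, IP whitelist/blacklist, a geo-fence around Europe and the geo-velocity of the previous login, and returns allow, step-up (ask for another factor) or deny. All identifiers, coordinates, thresholds and weights are constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Constructed reference data; a real deployment pulls these from the device
# registry, threat-intelligence feeds, the directory and the login history.
KNOWN_DEVICES = {"katka": {"dev-laptop-01"}}
IP_BLACKLIST = {"203.0.113.7"}         # TEST-NET-3 address, constructed
IP_WHITELIST = {"198.51.100.10"}       # TEST-NET-2 address, constructed
GEO_FENCE = (35.0, 72.0, -10.0, 40.0)  # lat_min, lat_max, lon_min, lon_max: rough box around Europe
MAX_PLAUSIBLE_KMH = 1000.0             # implied travel faster than this is "impossible travel"


@dataclass
class Login:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    ts: float  # Unix time in seconds


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def geo_velocity_kmh(prev: Optional[Login], cur: Login) -> Optional[float]:
    """Speed the user would have needed between the previous and the current login."""
    if prev is None:
        return None
    hours = max(cur.ts - prev.ts, 1.0) / 3600.0  # floor of one second avoids division by zero
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def evaluate(cur: Login, prev: Optional[Login] = None):
    """Combine the signals into 'deny', 'step-up' or 'allow', together with the reasons."""
    if cur.ip in IP_BLACKLIST:
        return "deny", ["ip on blacklist"]  # threat-service hit: no extra factor will help
    reasons, score = [], 0
    if cur.ip in IP_WHITELIST:
        reasons.append("ip on whitelist")
        score -= 1
    if cur.device_id not in KNOWN_DEVICES.get(cur.user, set()):  # device recognition
        reasons.append("unknown device")
        score += 2
    lat_min, lat_max, lon_min, lon_max = GEO_FENCE  # geo-fencing
    if not (lat_min <= cur.lat <= lat_max and lon_min <= cur.lon <= lon_max):
        reasons.append("outside geo-fence")
        score += 2
    speed = geo_velocity_kmh(prev, cur)  # geo-velocity
    if speed is not None and speed > MAX_PLAUSIBLE_KMH:
        reasons.append(f"impossible travel at {speed:.0f} km/h")
        score += 3
    return ("allow" if score <= 0 else "step-up"), reasons


if __name__ == "__main__":
    kosice = Login("katka", "dev-laptop-01", "198.51.100.10", 48.72, 21.26, 0.0)
    new_york = Login("katka", "unknown-phone", "192.0.2.44", 40.71, -74.01, 600.0)
    print(evaluate(kosice))
    print(evaluate(new_york, prev=kosice))  # the Kosice-to-USA-in-10-minutes case from the slide
```

The weights are deliberately simple: a whitelisted IP lowers the score, anything unexplained raises it, and a blacklisted IP short-circuits to deny. What matters for a real engine is that the reasons are returned alongside the decision so that the step-up prompt and the audit log can say why.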

HTTP Authentication (RFC 2617) (slide 22)
- simple challenge-response authentication mechanism
- used by a server to challenge a client request
- used by a client to provide authentication information

HTTP Authentication (RFC 2617) (slide 23)
- extensible, case-insensitive token to identify the authentication scheme
- comma-separated list of attribute-value pairs carrying the parameters necessary for achieving authentication

HTTP Authentication (RFC 2617) (slide 24)
- the 401 (Unauthorized) response is used by a server to challenge the authorization of a user agent
- the response must include a WWW-Authenticate header containing at least one applicable challenge

HTTP Authentication (RFC 2617) (slide 25)
- responsibility for parsing WWW-Authenticate is left to the user agents, because the WWW-Authenticate header can contain more than one challenge
- a challenge can contain a comma-separated list of authentication parameters

HTTP Authentication (RFC 2617) (slide 26)
Request without credentials:
    ./newissue.sh
    POST -d {issue} http://jira/rest/issue
Authentication required:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Basic realm="jira"
Request with credentials:
    ./newissue.sh -u katka -p password
    POST -u katka:password -d {issue} http://jira/rest/issue
Successful:
    HTTP/1.1 200 OK
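Slide 25 leaves the parsing of a multi-challenge WWW-Authenticate header to the user agent; the added Python example below (not from the deck or from the newissue.sh script it shows) does that parsing for the RFC 2617 grammar, handles quoted values that themselves contain commas, and then builds the Basic Authorization header for the katka/password exchange on slide 26. The header values in the test are constructed; the token68 form introduced later by RFC 7235 is deliberately out of scope.

```python
import base64
import re

_TOKEN = r'[^\s=,"]+'
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# One element of the header: optional comma, then either a scheme name (no "=")
# or a name=value parameter whose value is a quoted string or a token.
_ELEMENT = re.compile(rf'\s*,?\s*({_TOKEN})(?:\s*=\s*({_QUOTED}|{_TOKEN}))?')


def parse_www_authenticate(header):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...].

    RFC 2617 grammar: a bare token starts a new challenge, name=value pairs belong
    to the most recent challenge, and quoted values may contain commas and spaces.
    The RFC 7235 token68 form (e.g. 'Negotiate <base64>') is not handled here.
    """
    challenges = []
    header = header.strip()
    pos = 0
    while pos < len(header):
        m = _ELEMENT.match(header, pos)
        if m is None:
            raise ValueError(f"malformed challenge at offset {pos}: {header[pos:]!r}")
        name, value = m.group(1), m.group(2)
        pos = m.end()
        if value is None:                 # a bare token: new scheme
            challenges.append((name, {}))
            continue
        if not challenges:
            raise ValueError("parameter appears before any scheme name")
        if value.startswith('"'):
            value = re.sub(r'\\(.)', r'\1', value[1:-1])  # strip quotes, unescape quoted-pairs
        challenges[-1][1][name.lower()] = value
    return challenges


def basic_authorization(username, password):
    """Authorization value for the Basic scheme: base64(user:pass).
    This is encoding, not encryption, so the request has to travel over TLS."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def answer_challenge(www_authenticate, username, password):
    """Pick the first challenge this client can satisfy and build the request header.
    Only Basic is implemented; an unsupported scheme is reported, not silently ignored."""
    challenges = parse_www_authenticate(www_authenticate)
    for scheme, params in challenges:
        if scheme.lower() == "basic":
            return {"Authorization": basic_authorization(username, password),
                    "realm": params.get("realm")}
    raise ValueError(f"no supported scheme offered: {[s for s, _ in challenges]}")


if __name__ == "__main__":
    # Constructed 401 response header offering two challenges, as slide 25 describes.
    offered = 'Basic realm="jira", Digest realm="jira", qop="auth,auth-int", nonce="abc123"'
    for scheme, params in parse_www_authenticate(offered):
        print(scheme, params)
    print(answer_challenge(offered, "katka", "password"))
```

The parser lower-cases parameter names but keeps the scheme name as sent, so the caller compares schemes case-insensitively, as slide 23 requires. Note that choosing Basic whenever it is offered is only safe on a TLS connection; a client that can do Digest should prefer it on plain HTTP.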

Single Sign-On (slide 27)
- unified log-in process for different applications
- log in once and share it with others
- just one username and password

Single Sign-On (slide 28)
Service provider (relying party):
- the end application which the user wants to access
- authentication is left to the Identity Provider

Single Sign-On (slide 29)
Identity provider:
- service providing authentication for the user
- creates a session for the logged-in user

Single Sign-On (slide 30)
Session:
- information about the logged-in user for some period of time
- the logged-in user doesn't need to log in again

Single Sign-On - flow between SP, IdP and a second SP (slides 31-40, figure built up step by step)
1. A user who hasn't been authenticated yet wants to use the application (SP - Service Provider).
2. The application, which is part of the SSO solution, verifies with the IdP whether the user was authenticated before.
3. The IdP finds out that the user hasn't logged in yet. The user is redirected to the login page.
4. The user fills in his credentials and submits the login form.
5. The IdP successfully authenticates the user. The user is redirected to the original application (SP). The IdP creates an SSO session for the user.
Steps 6-8 (slides 38-40) add a second service provider, SP2, to the figure; their captions are not in the transcription.

SAML (slide 41)
Security Assertion Markup Language:
- XML-based framework for describing and exchanging security information between online partners
- expressed in the form of portable SAML assertions that applications across security domain boundaries can trust
- the OASIS SAML standard defines precise syntax and rules for requesting, creating, communicating and using SAML assertions

SAML (slide 42)
Different drivers behind the adoption of the SAML standard:
- Web SSO: a standard, vendor-independent grammar and protocol for transferring information about a user from one web server to another
- Federated identity: to agree on and establish a common, shared name identifier to refer to the user, in order to share information about the user across organizational boundaries
- Web services and other industry standards: a profile for how to use SAML's rich assertion constructs within a WS-Security security token that can be used, for example, to secure web service SOAP message exchanges

SAML Participants (slide 43)
- SAML asserting party: the system entity making a SAML assertion; sometimes called a SAML authority
- SAML relying party: the system entity using a received assertion

SAML (slide 44)
System entities can operate in a variety of SAML roles:
- roles define the SAML services and protocol messages they will use
- roles define the assertions they will generate or consume
- for SSO: Identity Provider, Service Provider

SAML Assertion (slide 45)
The heart of a SAML assertion is the subject: the user, computer or organization to be authenticated, also referred to as the principal.

SAML (slide 46) and SAML Example (slide 47): figures, no transcribed text.
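Slides 43-45 describe the relying party consuming an assertion about a subject. The example slide itself is a figure without text, so the following Python is an added illustration, not the deck's example: the checks a service provider runs on a SAML 2.0 bearer assertion after its XML signature has already been verified (signature verification needs an XML-DSig library such as signxml or python-xmlsec and is assumed to have happened before this function is called). The assertion, entity IDs, ACS URL and timestamps are all constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion. A real one carries a ds:Signature that must be
# verified against the IdP's metadata before anything below is believed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2017-09-04T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">katka@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2017-09-04T10:05:00Z" Recipient="https://sp.example.org/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-09-04T09:59:00Z" NotOnOrAfter="2017-09-04T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2017-09-04T10:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""


def saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a 'Z' suffix; fractional seconds optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_bearer_assertion(xml_text, idp_entity_id, sp_entity_id, acs_url, now, seen_ids):
    """Relying-party checks on a signature-verified SAML 2.0 bearer assertion.
    `now` is a timezone-aware datetime or a SAML timestamp string; `seen_ids` is the
    set of assertion IDs already accepted (replay protection within the validity window).
    Returns (name_id, problems); name_id is None unless every check passed."""
    if isinstance(now, str):
        now = saml_time(now)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return None, ["root element is not saml:Assertion"]
    if root.get("Version") != "2.0":
        problems.append("unsupported SAML version")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"issuer {issuer!r} is not the trusted IdP")
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        problems.append("missing or replayed assertion ID")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:  # an assertion meant for another SP must not log anyone in here
            problems.append(f"audience {audiences} does not include this SP")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("no Subject/NameID")
    bearer_ok = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        # Recipient must be our ACS endpoint and the confirmation window must still be open.
        expiry = data.get("NotOnOrAfter")
        if data.get("Recipient") == acs_url and expiry and now < saml_time(expiry):
            bearer_ok = True
    if not bearer_ok:
        problems.append("no valid bearer SubjectConfirmation for this ACS URL")
    if problems:
        return None, problems
    seen_ids.add(assertion_id)  # remember the ID for the rest of its validity window
    return name_id, []
```

Every check here corresponds to a field the slides mention or imply: Issuer identifies the asserting party, Audience pins the relying party, the Subject's NameID is the principal, and the time windows bound the session the IdP vouches for. The function collects all problems rather than stopping at the first one, which makes rejected logins easier to debug from the SP's logs.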

OAuth 2.0 (slide 48)
- security protocol used to protect a large number of web APIs
- used to connect websites to one another
- powers native and mobile applications connecting to cloud services

OAuth 2.0 (slide 49)
Delegation protocol: a means of letting someone who controls a resource allow a software application to access that resource on their behalf, without impersonating them.

OAuth 2.0 (slide 50)
As specified in RFC 6749: "The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf."

Slides 51-52: figures, no transcribed text.

OAuth 2.0 Components (slide 53)
- Resource owner: has access to the API and can delegate access to the API
- Protected resource: the component that the resource owner has access to
- Client: the piece of software that accesses the protected resource on behalf of the resource owner
- Authorization server: issues OAuth access tokens

OAuth 2.0 - Obtaining authorization (slides 54-59, figure)
Participants: Resource owner, User's agent, Client, Authorization server. The figure is built up over six slides with numbered arrows 1 to 5 between the participants; the captions for the steps are not in the transcription.
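The step captions for the figure above did not survive transcription, so the following Python is an added example of the exchange it depicts (the RFC 6749 authorization code grant), written for this page rather than taken from the deck. It models all four components from slide 53 in memory: the client starts the request with a `state`, the authorization server records the resource owner's approval and hands back a single-use code, the client redeems the code on the back channel with its client secret, and the protected resource checks the bearer token and its scope. The step numbers in the comments are my own reading of the code grant, and every client ID, secret, URL and scope is constructed.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """In-memory authorization server for the code grant: an /authorize and a /token endpoint."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # authorization code -> grant details (single use, short-lived)
        self.tokens = {}   # access token -> {"owner": ..., "scope": ..., "expires": ...}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, params, resource_owner, approved):
        """Steps 1-2: the user's agent brings the client's request here and the resource owner
        approves or denies it. Returns the redirect URL that sends the agent back to the client."""
        client = self.clients.get(params.get("client_id"))
        if client is None or client["redirect_uri"] != params.get("redirect_uri"):
            raise ValueError("unknown client or redirect_uri mismatch")  # never redirect to an unregistered URI
        if not approved:
            return client["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": params["client_id"], "scope": params["scope"],
                            "owner": resource_owner, "expires": time.time() + 60}
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: back-channel exchange of the code for an access token; the client authenticates itself."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)  # consumed on first use, even if the checks below fail
        if (grant is None or grant["client_id"] != client_id
                or client["redirect_uri"] != redirect_uri or time.time() > grant["expires"]):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"owner": grant["owner"], "scope": grant["scope"], "expires": time.time() + 3600}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"]}

    def introspect(self, token):
        """Answer the protected resource's question: is this token live, for whom, with what scope?"""
        t = self.tokens.get(token)
        return None if t is None or time.time() > t["expires"] else t


class Client:
    """The third-party application. It never sees the resource owner's password."""

    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server
        self.pending = {}  # state -> requested scope; ties the redirect back to this session (CSRF defence)

    def start_authorization(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending[state] = scope
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state}

    def handle_redirect(self, url):
        """Step 3: the agent comes back with ?code=...&state=...; validate state, then redeem the code."""
        q = parse_qs(urlparse(url).query)
        state = q.get("state", [None])[0]
        if self.pending.pop(state, None) is None:
            raise ValueError("unknown state: stale redirect or CSRF attempt")
        if "error" in q:
            raise ValueError(q["error"][0])
        return self.server.token(self.client_id, self.client_secret, q["code"][0], self.redirect_uri)


def protected_resource(server, access_token, needed_scope):
    """Step 5: the API checks the bearer token and its scope before answering. Returns (status, body)."""
    t = server.introspect(access_token)
    if t is None:
        return 401, {"error": "invalid_token"}
    if needed_scope not in t["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"owner": t["owner"]}


def run_flow(approved=True):
    """The whole exchange with constructed identifiers; returns the protected resource's response."""
    server = AuthorizationServer()
    server.register_client("photo-printer", "printer-secret", "https://printer.example/cb")
    client = Client("photo-printer", "printer-secret", "https://printer.example/cb", server)
    request = client.start_authorization("photos:read")        # 1. client sends the agent to the server
    redirect = server.authorize(request, "katka", approved)    # 2. resource owner approves at the server
    token_response = client.handle_redirect(redirect)          # 3.-4. code comes back and is exchanged
    return protected_resource(server, token_response["access_token"], "photos:read")  # 5. token used at the API
```

Three details carry most of the security of the grant: the redirect URI is compared against the registered one and never taken from the request alone, the code is removed from the store before it is validated so it can only ever be redeemed once, and the client refuses any redirect whose `state` it did not issue. The token the client ends up with says nothing about who the resource owner is; that is the gap OpenID Connect closes.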

Social login (slide 60)

OpenID Connect (slide 61)
- simple identity layer on top of OAuth 2.0
- enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server
- enables Clients to obtain basic profile information about the End-User in an interoperable and REST-like manner
- OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process
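What turns the OAuth 2.0 authorization above into authentication is the ID token the client receives alongside the access token, and the client-side checks on it are where most OpenID Connect deployments go wrong. The Python below is an added example, not from the deck, using only the standard library: a provider-side helper issues a sample ID token as an HS256 JWS keyed with the client secret (the symmetric option OpenID Connect Core 10.1 allows), and `validate_id_token` performs the checks of Core 3.1.3.7 that the client can do offline. Issuer, client ID, nonce, secret and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims, client_secret):
    """What the OpenID Provider does: compact JWS, HS256 keyed with the client secret.
    Included only to produce a sample token for the client-side validation below."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def validate_id_token(token, client_secret, issuer, client_id, expected_nonce, now=None, leeway=0):
    """Client-side ID token validation: signature, iss, aud/azp, exp, iat, nonce, sub.
    Returns the claims or raises ValueError naming the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        # The verifier fixes the algorithm; trusting the header enables 'alg: none' and key-confusion tricks.
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_mac = hmac.new(client_secret.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, _b64url_decode(parts[2])):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("iss is not the provider we sent the user to")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud does not contain this client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud lists several")
    if now >= claims.get("exp", 0) + leeway:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("iat is in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match the authentication request")
    if not claims.get("sub"):
        raise ValueError("no sub claim")
    return claims


if __name__ == "__main__":
    now = 1_500_000_000  # constructed clock value
    sample = {"iss": "https://op.example.org", "sub": "katka", "aud": "client-1",
              "exp": now + 300, "iat": now, "nonce": "n-1"}
    token = issue_id_token(sample, "client-1-secret")
    print(validate_id_token(token, "client-1-secret", "https://op.example.org", "client-1", "n-1", now=now + 10))
```

The nonce is generated by the client when it starts the OAuth request (the same place the `state` is generated) and compared here, which is what binds the ID token to the browser session that asked for it. Production clients usually receive RS256 tokens and fetch the provider's keys from its JWKS endpoint; the checks on the claims are the same, only the signature step differs.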

Federation (slide 62)

Thanks for the attention. Any questions? (slide 63)

Summary (slide 64)
- Authentication
- HTTP Authentication
- Multi-factor authentication
- Adaptive authentication
- SSO
- SAML
- OAuth 2.0
- OpenID Connect
- Federation

Master's and bachelor's theses (slide 65)
- Smart audit log analysis
- Role mining
- Visualisation of Identity Management system configuration
- Intelligent identity information processing
- Command line tool
- Mobile or self-service application